Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.

The following documents and websites can help you learn more about phishing and how to protect yourself against phishing attacks:

• • Avoiding Social Engineering and Phishing Attacks
  • Protecting Your Privacy
  • Understanding Web Site Certificates
  • Anti-Phishing Working Group (APWG)
  • Federal Trade Commission, Identity Theft
  • Recognizing and Avoiding Email Scams

Phishing and email attacks are not only increasing as time goes on and our lives and data get stored online, but they’re evolving. Understand how Phishing and Email Fraud are repeatedly affecting executives and companies worldwide and how you can protect yourself.

• • The average financial cost of a data breach is $3.86m (IBM)
  • Phishing accounts for 90% of data breaches
  • 15% of people successfully phished will be targeted at least one more time within the year
  • BEC scams accounted for over $12 billion in losses (FBI)
  • Phishing attempts have grown 65% in the last year
  • Around 1.5m new phishing sites are created each month (Webroot)
  • 76% of businesses reported being a victim of a phishing attack in the last year
  • 30% of phishing messages get opened by targeted users (Verizon)

Report Phishing Sites
US-CERT partners with the Anti-Phishing Working Group (APWG) to collect phishing email messages and website locations to help people avoid becoming victims of phishing scams.

You can report phishing to APWG by sending email to [email protected].



Methods of Reporting Phishing Email to APWG

In Outlook Express, you can create a new message and drag and drop the phishing email into the new message. Address the message to [email protected] and send it.

In Outlook Express you can also open the email message* and select File > Properties > Details. The email headers will appear. You can copy these as you normally copy text and include it in a new message to [email protected].

If you cannot forward the email message, at a minimum, please send the URL of the phishing website.

* If the suspicious mail in question includes a file attachment, it is safer to simply highlight the message and forward it. Some configurations, especially in Windows environments, may allow the execution of arbitrary code upon opening and viewing a malicious email message.

Fraudulent emails are crafted to appear legitimate, such as messages from your bank or another trusted source. They request personal information, which criminals then use for identity theft.

So what should you do if you find yourself a victim of an email scam?

Change Passwords
If you’ve clicked the wrong link or provided personal information in response to a phishing scam, change your passwords immediately. This goes for email and all accounts, including bank accounts and PIN numbers. Create strong, complicated, new passwords that feature a confusing slew of numbers and symbols. Such passwords are much, much harder for cyber-criminals to break.

Notify Credit Agencies
Contact one of the three major credit bureaus as soon as possible and let themknow your account was potentially compromised. Place a fraud alert on your account until the issue has been resolved.

Contact Credit Card Companies
Alert credit card companies and explain the situation. Your credit cards might not have been used yet, but if you feel unauthorized charges are in your future, it’s essential to freeze or cancel your cards. Let your bank know what happened so they can further protect your credit line.

Update Your Software
Update your software to the newest version and run a comprehensive virus scan if you think you’ve infected your system with a virus or other malware. Additionally, you should use encryption, ensure you have a firewall enabled, and regularly back up personal information on an external hard drive. Avoid using public Wi-Fi networks whenever possible, and if you must use a public connection, select the most secure option, such as a Virtual Private Network (VPN). Also, make certain to turn your computer off when not in use, as it’s inaccessible to hackers when powered down.

Check Accounts Regularly
Review your bank and credit card accounts regularly to be sure no suspicious activity is taking place. You may also opt to leave the fraud alert on your credit report for a while until you’re absolutely certain you’re out of the proverbial hot water.

Reporting Resources
Numerous resources are available for reporting an email scam, including the National Fraud Information Center. This company reports fraudulent activity to the federal government and maintains detailed records of fraud incidents. They also provide links concerning whom you can contact within your state for assistance.

Other helpful resources include:
Internet Crime Complaint Center: The FBI and the National White Collar Crime Center run a site called the Internet Crime Complaint Center. It features many tips and other helpful information about avoiding email scams and what to do if you fall victim to one. It also offers a link for filing a claim against a third party who stole your identity or made an attempt. U.S. Department of Justice: The U.S. Department of Justice runs websites that allow you to file email scam complaints. The site also features plenty of helpful tips and advice. National Consumer’s League: This site can help you file a complaint and provides information on how to avoid fraud. Better Business Bureau: The BBB makes it possible to alert others to what happened to you so they don’t fall for the same scams.

Stay proactive until you’re absolutely certain fraud-related problems have subsided, and know what to look for in the future. The more you educate yourself on phishing and other Internet scams, the less likely it is such problems will occur.

t